The SharePoint Share That Passed Every Check: A Compromised M365 Tenant With DMARC Reject and Tokenized Links

The email looked like every other SharePoint file share: a blue "Open" button, a filename, and a sender address from a domain registered nine years ago. SPF passed. DKIM passed. DMARC passed with a policy of p=reject at 100% enforcement. Every link resolved to Microsoft-hosted SharePoint infrastructure and scanned clean.

This was not a spoofed email bypassing authentication. This was a legitimate tenant sending from inside the trust boundary.

A Compromised Tenant With Perfect Credentials

The sending domain packnfresh[.]com was registered in 2017. Its MX records pointed to Microsoft 365 protection infrastructure. SPF authorized spf.protection.outlook.com. DKIM selectors were configured and signing correctly. DMARC was set to p=reject; pct=100, the strictest enforcement level available. The domain's DNS posture was cleaner than most Fortune 500 companies.

The message was sent from logistics@packnfresh[.]com through outbound.protection.outlook[.]com, the standard Microsoft outbound relay. ARC seals at both hops validated correctly. From the perspective of every authentication protocol, this was a trusted sender operating within properly configured infrastructure.

That is exactly the problem with compromised-account attacks. The attacker does not need to build infrastructure, register domains, or configure DNS records. They inherit everything from the account they take over.

Links That Went to the Right Place

The SharePoint sharing links pointed to packnfresh-my.sharepoint[.]com with long, tokenized query parameters containing xsdata and sdata values. These CNAME to Microsoft-hosted SharePoint endpoints. URL scanners checked the domain reputation (Microsoft), the certificate (valid), and the HTTP response (200 OK) and returned "clean."

The tokens themselves are opaque strings that grant access to whatever the attacker shared. It could be a legitimate-looking PDF that prompts for Microsoft credentials before opening. It could be a document containing a secondary phishing link. The scanning system evaluated the link destination. It did not, and could not, evaluate what happened after the recipient clicked "Open" and authenticated.

The Template Inconsistencies

Two details separated this from a legitimate share. The message body contained duplicated sharing blocks, a rendering artifact that suggests the notification was generated or modified outside the standard SharePoint sharing flow. And the company name appeared in two formats ("PacknFresh" and "Pack'n Fresh") across the notification template, an inconsistency that a native SharePoint share would not produce.

Themis, the IRONSCALES Adaptive AI engine, flagged the message on the combination of first-time sender behavior, the external sender classification by the recipient's tenant, and the formatting anomalies in the sharing notification. The mailbox was quarantined before the link was clicked.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping